Goldman Sachs Former Employee Beats Conviction For Theft of High Frequency Trading Code. Again.
The New York State conviction against Sergey Aleynikov, the former Goldman Sachs employee charged with stealing its high-speed trading program, has, like the federal conviction before it, been overturned. The recent ruling by the New York State Supreme Court in Manhattan on July 6th, 2015 with regard to this long-standing dispute between Goldman Sachs and Sergey Aleynikov adds another inexplicable turn to a well-publicized legal proceeding but also once again demonstrates the risks that weigh heavily on virtually all employers in the asset management industry: defending against employee theft of intellectual property. Such intellectual property ("IP") can include trading strategies, portfolio holdings, investor information, employee data, trade secrets, proprietary and confidential information and/or other sensitive data.
Mr. Aleynikov, a former Goldman Sachs software programmer, was first arrested on July 3, 2009 by federal authorities for allegedly stealing Goldman's high frequency trading program. Aleynikov had accepted a job from a high frequency trading start-up and admitted that he downloaded parts of Goldman's proprietary code, in anticipation of his new employment. In December 2010, he was convicted by a federal jury and in March, 2011, sentenced to more than eight (8) years in prison. After serving just less than one year of this sentence, in February 2012, the conviction was overturned and vacated by the United States Court of Appeals for the Second Circuit, which ruled that federal prosecutors in the case had misapplied the corporate espionage laws against him. As a direct response to the Appellate Court's holding, Congress amended one of those federal statues, the Economic Espionage Act of 1996, by enacting the Theft of Trade Secrets Clarification Act of 2012, with the intent of expanding the scope of the federal law and allowing it to better address modern-era employee theft. Less than eight months later in August, 2012, Mr. Aleynikov was arrested again and this time charged with violating two New York State criminal laws (Unlawful Use of Secret Scientific Material and Unlawful Duplication of Computer Related Material (Sections 165.07 and 156.30 of the NY Penal Law, respectively)) and on May 1st, 2015, a 10-person jury convicted Mr. Aleynikov of these charges.
However on July 6th, 2015, the New York State Supreme Court found insufficient legal evidence to support the jury's conviction of Mr. Aleynikov on any charge and his second conviction was dismissed. The Court noted that the prosecution failed to prove that Aleynikov committed the "obscure" crimes set forth in the two state criminal statutes both of which pre-date the digital age. This subtle observation by the bench demonstrates a thematic and ongoing issue for those who are charged with protecting IP in the asset management industry: how technology and its modern applications are outracing and outwitting the laws designed to govern such applications.
Commentators have reported excessively on the most recent iteration of this case, mostly focusing on a variety of off-topic, sensationalized elements, such as claims of a misguided prosecution, a puzzled bench, intra-jury disputes (and one juror's allegation of an attempted poisoning by a co-juror), double jeopardy implications and other media-centric story lines surrounding the ultimately flawed conviction. Sorting through these distractions however, there are important legal and compliance lessons, as well as some practical takeaways, from this case for the asset management industry, such as:
1. Understand the Risks. Fund managers ("Managers") should observe the legal and regulatory landscape in this area and stay aware of key developments, such as the Aleynikov case. We recommend that Managers commit to this process and to devote appropriate time and effort to protect the underlying IP being used by the fund(s) they manage. Managers that remain passive, relying on the (entirely reasonable) belief that the various state and federal laws intended to make such conduct unlawful will provide them adequate protection and sufficient redress, are apparently and unfortunately misguided. Managers taking that approach could find themselves answering difficult questions from investors, quite possibly in the context of a legal proceeding.
2. Stay Informed of the Recent Legal Developments and Related Analysis. Because the law in this area is still evolving, both the quantum of protection available and the circumstances under which such protections will apply, are unclear. For example, this most recent ruling overturning Aleynikov's second conviction was based in part on the prosecution's inability to demonstrate that Aleynikov actually made a "tangible reproduction" of the code at issue. From solely a practical point of view, it seems irrational that in the modern day digital era, the protections provided under a statute designed to address theft of IP would be conditioned upon a showing of a "tangible reproduction" of the data at issue. Arguably, the last thing any mal-inclined, tech-savvy employee would do in stealing a computer code would be to print out a hard copy or other "tangible reproduction" and walk it out the door. We expect both statutory and common law to evolve, albeit gradually, to better accommodate cases similar to the Aleynikov matter.
3. Be Proactive. Managers should indeed stay abreast of the case law and other legal developments in this area but should not seek to emulate them. Put another way, litigation is an inherently reactive strategy and one that is neither predictable nor easy to manage. Taking proactive and preventative measures to avoid or mitigate potential IP loss and to otherwise protect the underlying IP, is preferred. For example, in Aleynikov, the defendant did not deny taking the code for use with his new employer, yet both the federal statutes in the first conviction, like the New York State criminal laws employed in the State conviction that followed it, suffered from a failed application to a seemingly straight-forward and real-life fact pattern. We strongly suggest that Managers empower themselves by taking immediate and affirmative action to protect all of the underlying IP entrusted to them for safekeeping by the very investors who invested in the Manager and/or the fund and, depending on the data involved, the IP itself. For a specific discussion on how to protect fund IP from employee theft internally, please email us here: firstname.lastname@example.org.
4. Be Compliant. Cybersecurity risks which include both external and, like Aleynikov, internal threats, are pervasive. In addition to the regulatory push by the Securities and Exchange Commission (illustrated by the 2014 cyber sweep by the its Office of Compliance, Inspections and Examinations and the recent Cybersecurity Guidance issued by its Division of Investment Management) and other financial services regulators, the failure to understand, assess and prevent cyber-attacks and related data theft, conversion, misappropriation or other losses, can result in Managers being embroiled in protracted, expensive and embarrassing regulatory or legal proceedings, involving both criminal and civil forums. Furthermore, a Manager's failure to take adequate measures to prevent against such attacks is an approach that seems less and less reasonable these days and thus such inaction could lead to direct claims by investors for breach of the Manager's fiduciary duty or violations of the securities laws, including the Investment Advisers Act.